Response to Amendment 

This office action is responsive to Applicant's amendment received on 
9/21/2007. Claims 105-115, 127-128, 131-133, 140, and 146 are amended. Claims 150-167 
are added. Claims 105-107, 109-118, and 127-167 are pending. 



Response to Arguments 

Applicant's arguments with respect to claims 105-107, 109-118, and 127-167 
have been considered but are moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 105-107, 109-118, and 127-167 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Kouznetsov, (U.S. Patent No. 6,973,577), in view of Chess et 
al., (U.S. Patent No. 6,772,346 and Chess hereinafter), in further view of Hill et al., (U.S. 
Patent No. 6,088,804 and Hill hereinafter). 
Regarding claims 105, 115, 117, 127-128, 151-152, and 159-167, Kouznetsov 
discloses a computer-implemented method comprising: 

selecting an active program on a computer system as code under investigation 
(i.e., wherein the code under investigation is each of the incoming system calls 91, 92, and 
93 generated by the applications 33, 34, and 35 (shown in figure 2)), and executing 
malicious code detection code (MCDC) on the computer system (i.e., monitor/analyzer 
19), wherein the MCDC includes a detection routine (i.e., static analyzer 52 and 
dynamic analyzer 53)(col. 4, lines 47-58), wherein said executing includes: 

applying the detection routine to the code under investigation to obtain a result, 
weighting such result to obtain a score indicative of whether the code under 
investigation has characteristics and/or behaviors typically associated with malicious 
code (i.e., static analyzer 52 performs behavior checking and generates alerts and 
histograms only if patterns of suspicious events are observed. Dynamic analyzer 53 
analyzes histograms and identifies behavioral repetitions within the histograms which 
indicate behavior characteristic of a computer virus/compromise)(col. 4, lines 38-67 and 
col. 5, lines 1-7); 

using the score (i.e., the results indicated by static analyzer 52 and dynamic 
analyzer 53) to categorize the code under investigation with respect to the likelihood of 
the code under investigation compromising the security of the computer system (i.e., 
computer viruses are self-replicating program code which often carry malicious and 
sometimes destructive payloads, and "malware" can be categorized as Trojan horses, 
hoaxes, and spam mail - col. 1, lines 45-48)(col. 5, lines 18-67 and col. 6, lines 1-30). 

Kouznetsov does not explicitly disclose a weighing functionality that 
scores/determines the monitored events/code under investigation as valid/non- 
malicious code. 

However, Chess discloses applying a detection routine to the code under 
investigation to obtain a result, weighting such result to obtain a first score indicative of 
whether the code under investigation has characteristics and/or behaviors typically 
associated with valid code (i.e., files determined to be non-malicious)(col. 5, lines 55-67 
and col. 6, lines 1-21), and applying a second detection routine to the code under 
investigation to obtain a second result, weighting such second result to obtain a second 
score indicative of whether the code under investigation has characteristics and/or 
behaviors typically associated with malicious code (col. 6, lines 19-29). 

Moreover, Hill discloses using the scores (i.e., percentage of the security events 
per event type) to categorize the code under investigation (i.e., simulated attacks - 
wherein a simulated attack includes at least one of security event types) with respect to 
the likelihood of the code under investigation compromising the security of the computer 
system (i.e., attack severity based on negative impact or security breach to the 
computer network)(col. 5, lines 45-67 and col. 6, lines 1-22). 

Therefore, it would have been obvious to a person of ordinary skill in the art at 
the time of applicant's invention to modify the teachings of Kouznetsov with the teachings 
of Chess, because doing so would allow the monitored events/code under investigation 
to be scored/determined as valid/non-malicious or invalid/malicious code, as disclosed by 
Chess. One of ordinary skill in the art would have been motivated by the suggestion of 
Chess to filter out undesirable mails (i.e., files) from client inboxes (Chess, col. 9, lines 
23-30). It would also have been obvious to a person of ordinary skill in the art at the time 
of applicant's invention to modify the combined teachings of Kouznetsov and Chess with 
the teachings of Hill, because doing so would allow the code under investigation (i.e., 
simulated attacks, wherein a simulated attack includes at least one of the security event 
types) to be categorized with respect to the likelihood of the code under investigation 
compromising the security of the computer system, as disclosed by Hill. One of ordinary 
skill in the art would have been motivated by the suggestion of Hill to provide knowledge 
of the severity and overall nature of an attack (Hill, col. 2, lines 45-60). 

Regarding claims 106 and 116, Kouznetsov discloses the method of claim 105, 
wherein the code under investigation has access to other active programs/code 
executing on the computer system (i.e., events such as program executions, sending of 
electronic mail, changing to security settings, impersonations, and etc. are 
monitored)(col. 5, lines 18-67 and col. 6, lines 1-30). 
Regarding claims 107 and 118, Kouznetsov discloses the method of claim 105, 
further comprising: 

selecting, in turn, each additional active program on the computer system as 
code under investigation, and executing said MCDC with respect to said selected code 
under investigation (i.e., configured to monitor/analyze incoming system calls generated 
by the applications)(col. 5, lines 18-42). 

Regarding claims 109-114, Kouznetsov discloses the method of claim 105, 
wherein the malicious code includes monitoring software (i.e., events such as system 
calls having the ability to monitor system input/output activities are monitored)(col. 5, 
lines 18-67 and col. 6, lines 1-30). 

Chess discloses wherein the malicious code can include computer viruses, 
worms, or Trojan Horses (col. 3, lines 51-53). 

Hill further discloses that security event types may include destructive virus, 
snooping virus, worm, Trojan Horse, FTP requests, and network overload (col. 5, lines 
59-61). 

Regarding claim 129, Kouznetsov discloses the method of claim 105, further 
comprising: 
determining from the score (i.e., repetitions of suspicious behavioral patterns) 
that the code under investigation is malicious code (col. 5, lines 43-58 and col. 6, lines 
63-67 and col. 7, lines 1-10). 

Chess discloses determining from the scores (i.e., matches between code under 
investigation and the records of database 210 of known non-malicious files or the 
records of database 220 of known malicious code descriptions) that the code under 
investigation is malicious code (col. 6, lines 5-35). 

Regarding claim 130, Kouznetsov discloses the method of claim 129, wherein 
the malicious code does not have a known signature (i.e., a knowledge of specific, pre- 
identified computer viruses would not be necessary because behavioral patterns typical 
of computer viruses are observed. An example of malicious code with unknown 
signature is polymorphic viruses)(col. 2, lines 1-2 and lines 21-29). 

Regarding claim 131, Kouznetsov discloses the method of claim 105, wherein 
the detection routine examines the behavior of the suspicious code under investigation 
(i.e., static analyzer 52 performs behavior checking and generates alerts and 
histograms, wherein "behavior checking" is monitoring the occurrence of an event from 
the events list, and dynamic analyzer 53 analyzes histograms and identifies behavioral 
repetitions within the histograms which indicate behavior characteristic of a computer 
virus, wherein such histograms are not known virus signatures associated with any 
virus)(col. 4, lines 47-67 and col. 5, lines 1-6). 
Regarding claim 132, Chess discloses the method of claim 131, wherein the 
detection routine examines the behavior of the valid and suspicious code under 
investigation (col. 5, lines 55-67 and col. 6, lines 1-29). 

Regarding claim 133, Kouznetsov discloses the method of claim 105, wherein 
the detection routine is not specific to the code under investigation (col. 4, lines 15-37). 

Regarding claims 135, 142 and 147, Chess discloses the method of claim 105, 
further comprising: 

determining from the first and second scores that the code under investigation is 
valid code (i.e., files determined to be non-malicious)(col. 5, lines 55-67 and col. 6, lines 
1-21). 

Regarding claim 137, Kouznetsov discloses the method of claim 105, further 
comprising: 

determining from the score that the code under investigation is suspicious code, 
wherein suspicious code has not been determined to be either valid or malicious code 
(i.e., the categories of the events that are monitored, e.g., events 1-9, col. 5, lines 25-40 
may or may not be malicious depending on the repetitions of suspicious behavioral 
patterns ... the observed group of suspicious events could "potentially" be 
malicious)(col. 4, lines 38-67 and col. 5, lines 1-67 and col. 6, lines 1-30). 
Regarding claim 139, Kouznetsov discloses the system of claim 127, further 
comprising program instructions executable by the processor to: 

determining from the score (i.e., repetitions of suspicious behavioral patterns) 
that the code under investigation is malicious code (col. 5, lines 43-58 and col. 6, lines 
63-67 and col. 7, lines 1-10). 

Regarding claims 140, 160, and 161, Kouznetsov discloses the system of claim 
139, wherein the malicious code is a previously unknown malicious code (i.e., a 
knowledge of specific, pre-identified computer viruses would not be necessary because 
behavioral patterns typical of computer viruses are observed. An example of malicious 
code with unknown signature is polymorphic viruses)(col. 2, lines 1-2 and lines 21-29). 

Regarding claim 142, Chess discloses the system of claim 127, further 
comprising program instructions executable by the processor to: 

determine from the first and second scores that the code under investigation is 
valid code (i.e., files determined to be non-malicious)(col. 5, lines 55-67 and col. 6, lines 
1-21). 


Regarding claims 144 and 149, Kouznetsov discloses the system of claim 127, 
further comprising program instructions executable by the processor to: 
determining from the score that the code under investigation is suspicious code 
(i.e., the categories of the events that are monitored, e.g., events 1-9, col. 5, lines 25-40 
may or may not be malicious depending on the repetitions of suspicious behavioral 
patterns ... the observed group of suspicious events could "potentially" be 
malicious)(col. 4, lines 38-67 and col. 5, lines 1-67 and col. 6, lines 1-30). 

Regarding claim 145, Kouznetsov discloses the memory medium of claim 128, 
further comprising program instructions executable to: 

determining from the score (i.e., repetitions of suspicious behavioral patterns) 
that the code under investigation is malicious code (col. 5, lines 43-58 and col. 6, lines 
63-67 and col. 7, lines 1-10). 

Chess discloses determining from the scores (i.e., matches between code under 
investigation and the records of database 210 of known non-malicious files or the 
records of database 220 of known malicious code descriptions) that the code under 
investigation is malicious code (col. 6, lines 5-35). 

Regarding claim 146, Kouznetsov discloses the memory medium of claim 145, 
wherein the malicious code is a previously unknown type of malicious code (i.e., a 
knowledge of specific, pre-identified computer viruses would not be necessary because 
behavioral patterns typical of computer viruses are observed. An example of malicious 
code with unknown signature is polymorphic viruses)(col. 2, lines 1-2 and lines 21-29). 
Regarding claim 147, Kouznetsov discloses the memory medium of claim 128, 
further comprising program instructions executable to: 

determine from the first and second scores that the code under investigation is 
valid code (i.e., static analyzer 52 performs behavior checking and generates alerts and 
histograms only if patterns of suspicious events are observed)(col. 4, lines 38-67 and 
col. 5, lines 1-40). 

Regarding claims 134, 136, 138, 141, 143, 148, 150, 153-158, and 162-166, 
Kouznetsov discloses determining from the score (i.e., repetitions of suspicious 
behavioral patterns) that the code under investigation is malicious code (col. 5, lines 43- 
58 and col. 6, lines 63-67 and col. 7, lines 1-10). 

Chess further discloses wherein the determination that the code under 
investigation is malicious code is based on the first score not exceeding a valid code 
threshold value (i.e., matches between code under investigation and the records of 
database 210 of known non-malicious files) and the second score exceeding a 
malicious code threshold value (i.e., matches between code under investigation and the 
records of database 220 of known malicious code descriptions)(col. 6, lines 5-35). 
Chess further discloses clustering files within each classification by using a code- 
similarity metric to determine the similarity of the possibly-malicious code in each file to 
the corresponding code in the other files and grouping together those files which are 
closest according to the metric (col. 7, lines 33-46). 
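As an added illustration, not part of this office action or of any of the cited patents, the following Python script implements the two-score categorization the rejection attributes to Chess (a first score compared against a valid-code threshold, a second score compared against a malicious-code threshold, and code that satisfies neither determination left as suspicious, as in claim 137), then groups the files within each category by a code-similarity metric. The detection routines, their weights, the threshold values, the constructed sample byte strings and the Jaccard-over-byte-4-grams metric are all assumptions made for the example; the cited patents specify none of them.

```python
"""Two-score categorization of code under investigation, with clustering.

Added example only. Routines, weights, thresholds, samples and the similarity
metric are illustrative assumptions, not the logic of Kouznetsov, Chess or Hill.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Assumed thresholds; the office action gives no values.
VALID_THRESHOLD = 0.5       # first score must exceed this to be determined valid
MALICIOUS_THRESHOLD = 0.5   # second score must exceed this to be determined malicious
SIMILARITY_THRESHOLD = 0.5  # assumed cut-off on the code-similarity metric

# Constructed sample "files" (byte strings standing in for executables).
SAMPLES: Dict[str, bytes] = {
    "benign_tool":   b"MZ\x90\x00 print report; write log; exit",
    "dropper_a":     b"MZ\x90\x00 CreateRemoteThread WriteProcessMemory copy self to startup",
    "dropper_b":     b"MZ\x90\x00 CreateRemoteThread WriteProcessMemory copy self to autorun",
    "unsigned_tool": b"MZ\x90\x00 open socket; send telemetry; exit",
}
KNOWN_GOOD: Set[bytes] = {SAMPLES["benign_tool"]}  # assumed stand-in for a known-good file database
SUSPICIOUS_PATTERNS = [b"CreateRemoteThread", b"WriteProcessMemory", b"copy self"]  # assumed descriptions

Routine = Callable[[bytes], float]  # a detection routine returns a result in [0, 1]


# First detection routine family: evidence that the code is valid.
def allowlist_match(code: bytes) -> float:
    return 1.0 if code in KNOWN_GOOD else 0.0


def clean_exit_marker(code: bytes) -> float:
    return 1.0 if b"exit" in code else 0.0


# Second detection routine family: evidence that the code is malicious.
def suspicious_pattern_fraction(code: bytes) -> float:
    return sum(p in code for p in SUSPICIOUS_PATTERNS) / len(SUSPICIOUS_PATTERNS)


def self_copy_marker(code: bytes) -> float:
    return 1.0 if b"copy self" in code else 0.0


# Assumed weights; each family's weights sum to 1 so scores stay in [0, 1].
VALID_ROUTINES: List[Tuple[Routine, float]] = [(allowlist_match, 0.7), (clean_exit_marker, 0.3)]
MALICIOUS_ROUTINES: List[Tuple[Routine, float]] = [(suspicious_pattern_fraction, 0.8), (self_copy_marker, 0.2)]


def weighted_score(code: bytes, routines: List[Tuple[Routine, float]]) -> float:
    """Apply each routine to the code and weight its result into a single score."""
    return sum(weight * routine(code) for routine, weight in routines)


@dataclass(frozen=True)
class Verdict:
    first_score: float    # evidence of valid code
    second_score: float   # evidence of malicious code
    category: str         # "valid", "malicious" or "suspicious"


def categorize(code: bytes) -> Verdict:
    first = weighted_score(code, VALID_ROUTINES)
    second = weighted_score(code, MALICIOUS_ROUTINES)
    if first <= VALID_THRESHOLD and second > MALICIOUS_THRESHOLD:
        category = "malicious"
    elif first > VALID_THRESHOLD and second <= MALICIOUS_THRESHOLD:
        category = "valid"
    else:
        # Neither determination holds (both scores low, or both high and in
        # conflict), so the code is neither valid nor malicious: suspicious.
        category = "suspicious"
    return Verdict(first, second, category)


def ngrams(code: bytes, n: int = 4) -> Set[bytes]:
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity over byte n-grams: the assumed code-similarity metric."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 1.0


def cluster(samples: Dict[str, bytes], names: List[str]) -> List[List[str]]:
    """Greedy single-linkage grouping: a file joins the first group holding a close enough member."""
    clusters: List[List[str]] = []
    for name in names:
        for group in clusters:
            if any(similarity(samples[name], samples[m]) >= SIMILARITY_THRESHOLD for m in group):
                group.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def classify_and_cluster(samples: Dict[str, bytes]) -> Dict[str, List[List[str]]]:
    """Categorize every sample, then cluster the files within each category."""
    by_category: Dict[str, List[str]] = {}
    for name, code in samples.items():
        by_category.setdefault(categorize(code).category, []).append(name)
    return {cat: cluster(samples, names) for cat, names in by_category.items()}


if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(f"{name:14s} {categorize(code)}")
    print(classify_and_cluster(SAMPLES))
```

With these assumed inputs, the allowlisted tool scores high on the first score and low on the second and is determined valid; the two droppers score low on the first and high on the second and are determined malicious and, being near-identical byte strings, fall into one cluster; the unsigned tool scores low on both and is left suspicious, since neither threshold test is met.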
Regarding claim 149, Kouznetsov discloses the memory medium of claim 128, 
further comprising program instructions executable to: 

determine from the first and second scores that the code under investigation is 
suspicious code (col. 4, lines 38-67 and col. 5, lines 1-40). 



Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Arezoo Sherkat whose telephone number is (571) 272- 
3796. The examiner can normally be reached on 8:00-4:30 Monday-Friday. 



If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



A.S. 

Patent Examiner 
Group 2131 
Dec. 10, 2007 